CERT Summary CS-2003-04

From: CERT Advisory (cert-advisory_at_cert.org)
Date: 11/24/03

  • Next message: CERT Advisory: "CERT Summary CS-2003-04"
    Date: Mon, 24 Nov 2003 15:27:10 -0500
    To: cert-advisory@cert.org


    CERT Summary CS-2003-04

       November 24, 2003

       Each quarter, the CERT Coordination Center (CERT/CC) issues the CERT
       Summary to draw attention to the types of attacks reported to our
       incident response team, as well as other noteworthy incident and
       vulnerability information. The summary includes pointers to sources of
       information for dealing with the problems.

       Past CERT summaries are available from:

              CERT Summaries

    Recent Activity

       Since the last regularly scheduled CERT summary, issued in September
       2003 (CS-2003-03), we have documented vulnerabilities in the Microsoft
       Windows Workstation Service, RPCSS Service, and Exchange. We have also
       documented vulnerabilities in various SSL/TLS implementations, a
       buffer overflow in Sendmail, and a buffer management error in OpenSSH.
       We have received reports of W32/Swen.A, W32/Mimail variants, and
       exploitation of an Internet Explorer vulnerability reported in August
       of 2003.

       For more current information on activity being reported to the
       CERT/CC, please visit the CERT/CC Current Activity page. The Current
       Activity page is a regularly updated summary of the most frequent,
       high-impact types of security incidents and vulnerabilities being
       reported to the CERT/CC. The information on the Current Activity page
       is reviewed and updated as reporting trends change.

              CERT/CC Current Activity

        1. W32/Mimail Variants

           The CERT/CC has received reports of several new variants of the
           'Mimail' worm. The most recent variant of the worm (W32/Mimail.J)
           arrives as an email message alleging to be from the Paypal
           financial service. The message requests that the recipient
           'verify' their account information to prevent the suspension of
           their Paypal account. Attached to the email is an executable file
           which captures this information (if entered), and sends it to a
           number of email addresses.

                    Current Activity - November 19, 2003

        2. Buffer Overflow in Windows Workstation Service

           A buffer overflow vulnerability exists in Microsoft's Windows
           Workstation Service (WKSSVC.DLL) allowing an attacker to execute
           arbitrary code or cause a denial-of-service condition.

                    CERT Advisory CA-2003-28
                    Buffer Overflow in Windows Workstation Service

                    Vulnerability Note VU#567620
                    Microsoft Windows Workstation service vulnerable to
                    buffer overflow when sent specially crafted network

        3. Multiple Vulnerabilities in Microsoft Windows and Exchange

           Multiple vulnerabilities exist in Microsoft Windows and Microsoft
           Exchange, the most serious of which could allow remote attackers
           to execute arbitrary code.

                    CERT Advisory CA-2003-27
                    Multiple Vulnerabilities in Microsoft Windows and

                    Vulnerability Note VU#575892
                    Buffer overflow in Microsoft Windows Messenger Service

                    Vulnerability Note VU#422156
                    Microsoft Exchange Server fails to properly handle
                    specially crafted SMTP extended verb requests

                    Vulnerability Note VU#467036
                    Microsoft Windows Help and support Center contains buffer
                    overflow in code used to handle HCP protocol

                    Vulnerability Note VU#989932
                    Microsoft Windows contains buffer overflow in Local
                    Troubleshooter ActiveX control (Tshoot.ocx)

                    Vulnerability Note VU#838572
                    Microsoft Windows Authenticode mechanism installs ActiveX
                    controls without prompting user

                    Vulnerability Note VU#435444
                    Microsoft Outlook Web Access (OWA) contains cross-site
                    scripting vulnerability in the "Compose New Message" form

                    Vulnerability Note VU#967668
                    Microsoft Windows ListBox and ComboBox controls vulnerable
                    to buffer overflow when supplied crafted Windows message

        4. Multiple Vulnerabilities in SSL/TLS Implementations

           Multiple vulnerabilities exist in the Secure Sockets Layer (SSL)
           and Transport Layer Security (TLS) protocols allowing an attacker
           to execute arbitrary code or cause a denial-of-service condition.

                    CERT Advisory CA-2003-26
                    Multiple Vulnerabilities in SSL/TLS Implementations

                    Vulnerability Note VU#935264
                    OpenSSL ASN.1 parser insecure memory deallocation

                    Vulnerability Note VU#255484
                    OpenSSL contains integer overflow handling ASN.1 tags (1)

                    Vulnerability Note VU#380864
                    OpenSSL contains integer overflow handling ASN.1 tags (2)

                    Vulnerability Note VU#686224
                    OpenSSL does not securely handle invalid public key when
                    configured to ignore errors

                    Vulnerability Note VU#732952
                    OpenSSL accepts unsolicited client certificate messages

                    Vulnerability Note VU#104280
                    Multiple vulnerabilities in SSL/TLS implementations

                    Vulnerability Note VU#412478
                    OpenSSL 0.9.6k does not properly handle ASN.1 sequences

        5. Exploitation of Internet Explorer Vulnerability

           The CERT/CC received a number of reports indicating that attackers
           were actively exploiting the Microsoft Internet Explorer
           vulnerability described in VU#865940. These attacks include the
           installation of tools for launching distributed denial-of-service
           (DDoS) attacks, providing generic proxy services, reading
           sensitive information from the Windows registry, and using a
           victim system's modem to dial pay-per-minute services. The
           vulnerability described in VU#865940 exists due to an interaction
           between IE's MIME type processing and the way it handles HTML
           application (HTA) files embedded in OBJECT tags.

                    CERT Advisory IN-2003-04
                    Exploitation of Internet Explorer Vulnerability

                    Vulnerability Note VU#865940
                    Microsoft Internet Explorer does not properly evaluate
                    "application/hta" MIME type referenced by DATA attribute
                    of OBJECT element

        6. W32/Swen.A Worm

           On September 19, the CERT/CC began receiving a large volume of
           reports of a mass mailing worm, referred to as W32/Swen.A,
           spreading on the Internet. Similar to W32/Gibe.B in function, this
           worm arrives as an attachment claiming to be a Microsoft Internet
           Explorer Update or a delivery failure notice from qmail. The
           W32/Swen.A worm requires a user to execute the attachment either
           manually or by using an email client that will open the attachment
           automatically. Upon opening the attachment, the worm attempts to
           mail itself to all email addresses it finds on the system. The
           CERT/CC updated the current activity page to contain further
           information on this worm.

                    Current Activity - September 19, 2003

        7. Buffer Overflow in Sendmail

           Sendmail, a widely deployed mail transfer agent (MTA), contains a
           vulnerability that could allow an attacker to execute arbitrary
           code with the privileges of the sendmail daemon, typically root.

                    CERT Advisory CA-2003-25
                    Buffer Overflow in Sendmail

                    Vulnerability Note VU#784980
                    Sendmail prescan() buffer overflow vulnerability

        8. Buffer Management Vulnerability in OpenSSH

           A remotely exploitable vulnerability exists in a buffer management
           function in versions of OpenSSH prior to 3.7.1. This vulnerability
           could enable an attacker to cause a denial-of-service condition.

                    CERT Advisory CA-2003-24
                    Buffer Management Vulnerability in OpenSSH

                    Vulnerability Note VU#333628
                    OpenSSH contains buffer management errors

        9. RPCSS Vulnerabilities in Microsoft Windows

           On September 10, the CERT/CC reported on three vulnerabilities
           that affect numerous versions of Microsoft Windows, two of which
           are remotely exploitable buffer overflows that may an allow an
           attacker to execute code with system privileges.

                    CERT Advisory CA-2003-23
                    RPCSS Vulnerabilities in Microsoft Windows

                    Vulnerability Note VU#483492
                    Microsoft Windows RPCSS Service contains heap overflow in
                    DCOM activation routines

                    Vulnerability Note VU#254236
                    Microsoft Windows RPCSS Service contains heap overflow in
                    DCOM request filename handling

                    Vulnerability Note VU#326746
                    Microsoft Windows RPC service vulnerable to
                    denial of service

    New CERT Coordination Center (CERT/CC) PGP Key

       On October 15, the CERT/CC issued a new PGP key, which should be used
       when sending sensitive information to the CERT/CC.

              CERT/CC PGP Public Key

              Sending Sensitive Information to the CERT/CC

    What's New and Updated

       Since the last CERT Summary, we have published new and updated
         * Advisories
         * Vulnerability Notes
         * CERT/CC Statistics
         * Congressional Testimony
         * Training Schedule
         * CSIRT Development

       This document is available from:

    CERT/CC Contact Information

       Email: cert@cert.org
              Phone: +1 412-268-7090 (24-hour hotline)
              Fax: +1 412-268-6989
              Postal address:
              CERT Coordination Center
              Software Engineering Institute
              Carnegie Mellon University
              Pittsburgh PA 15213-3890

       CERT/CC personnel answer the hotline 08:00-17:00 EST(GMT-5) /
       EDT(GMT-4) Monday through Friday; they are on call for emergencies
       during other hours, on U.S. holidays, and on weekends.

    Using encryption

       We strongly urge you to encrypt sensitive information sent by email.
       Our public PGP key is available from

       If you prefer to use DES, please call the CERT hotline for more

    Getting security information

       CERT publications and other security information are available from
       our web site

       To subscribe to the CERT mailing list for advisories and bulletins,
       send email to majordomo@cert.org. Please include in the body of your

       subscribe cert-advisory

       * "CERT" and "CERT Coordination Center" are registered in the U.S.
       Patent and Trademark Office.

       Any material furnished by Carnegie Mellon University and the Software
       Engineering Institute is furnished on an "as is" basis. Carnegie
       Mellon University makes no warranties of any kind, either expressed or
       implied as to any matter including, but not limited to, warranty of
       fitness for a particular purpose or merchantability, exclusivity or
       results obtained from use of the material. Carnegie Mellon University
       does not make any warranty of any kind with respect to freedom from
       patent, trademark, or copyright infringement.

       Conditions for use, disclaimers, and sponsorship information

       Copyright 2003 Carnegie Mellon University.

    Version: PGP 6.5.8

    -----END PGP SIGNATURE-----

  • Next message: CERT Advisory: "CERT Summary CS-2003-04"